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0> ■ Abstract 

' We consider exceptional APN functions on ¥2^. , which by definition are 

, functions that are APN on infinitely many extensions of . Our main 

result is that polynomial functions of odd degree are not exceptional, 
provided the degree is not a Gold number (2*^ + 1) or a Kasami- Welch 
' number (4*^ — 2'^ + 1). We also have partial results on functions of even 

^ ! degree, and functions that have degree 2'^ + 1. 



1 Introduction 

Let L = ¥q with q = 2^ for some positive integer n. A function / : L — > L 
is said to be almost perfect nonlinear (APN) on L if the number of solutions 
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Grant 06/MI/006 
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in L of the equation 

f{x + a) + f{x)=h 

is at most 2, for all a,b £ L, a ^ 0. Equivalently, / is APN if the set 
{/(x + a) + f{x) : X £ L} has size at least 2"'"^ for each a S L*. Because L 
has characteristic 2, the number of solutions to the above equation must be 
an even number, for any function / on L. 

This kind of function is very useful in cryptography because of its good 
resistance to differential cryptanalysis as was proved by Nyberg in [5]. 

The best known examples of APN functions are the Gold functions x^''"''^ 
and the Kasami- Welch functions x^ These functions are defined over 

F2, and are APN on any field where gcd{k,'m) = 1. 

If / is APN on L, then / is APN on any subfield of L as well. We 
will consider going in the opposite direction. Recall that every function 
/ : L — > L can be expressed as a polynomial with coefficients in L, and 
this expression is unique if the degree is less than q. We can "extend" / 
to an extension field of L by using the same unique polynomial formula to 
define a function on the extension field. With this understanding, we will 
consider functions / which are APN on L, and we ask whether / can be APN 
on an extension field of L. More specifically, we consider functions that are 
APN on infinitely many extensions of L. We call a function / : L — > L 
exceptional if / is APN on L and is also APN on infinitely many extension 
fields of L. The Gold and Kasami- Welch functions are exceptional. 

We make the following conjecture. 

Conjecture: Up to equivalence, the Gold and Kasami- Welch functions 
are the only exceptional APN functions. 

Equivalence here refers to CCZ equivalence; for a definition and discus- 
sion of this see [1] for example. 

We will prove some cases of this conjecture. It was proved in Hernando- 
McGuire [2] that the conjecture is true among the class of monomial func- 
tions. Some cases for / of small degree have been proved by Rodier [6]. 

We define 

^ _ f{x) + f{y) + f{z) + f{x + y + z) 
{x + y){x + z){y + z) 

which is a polynomial in Fg[x, y, z]. This polynomial defines a surface X in 
the three dimensional affine space A'^. 

If X is absolutely irreducible (or has an absolutely irreducible component 
defined over ¥q) then / is not APN on F^n for all n sufficiently large. As 
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shown in [6], this follows from the Lang- Weil bound for surfaces, which 
guarantees many F^n-rational points on the surface for all n sufficiently 
large. 

Let X denote the projective closure of X in the three dimensional pro- 
jective space P^. If iif is a another projective hypersurface in P^, the idea of 
this paper is to apply the following lemma. 

Lemma 1.1 If X f] H is a reduced (no repeated component) absolutely ir- 
reducible curve, then X is absolutely irreducible. 

Proof: If X is not absolutely irreducible then every irreducible compo- 
nent of X intersects H in a variety of dimension at least 1 (see Shafarevich 
[71 Chap. I, 6.2, Corollary 5]). So X n is reduced or reducible. 

□ 

In particular, we will apply this when H is a hyperplane. In Section 2 
we study functions whose degree is not a Gold number {2^ + 1) or a Kasami- 
Welch number (4'^ — 2'^ + 1). In Section 3 we study functions whose degree 
is a Gold number - this case is more subtle. 

The equation of X is the homogenization of (f>{x, y, z) = 0, which is 
4>{x, y, z,t) = say. If f{x) = Yl'j=o ^i^^ write this as 

d 

'4>{x,y,z,t) = ^aj(t)j{x,y,z)t'^~^ 

3=3 

where 

, / . x^ + y^ + + {x + y + zy 
(Pj[x,y,z} = — - — ■ — -- — ■ — -- — ■ — - — 

[x + y){x + z){y + z) 

is homogeneous of degree j — 3. We will later consider the intersection of X 
with the hyperplane z = 0, and this intersection is a curve in a two dimen- 
sional projective space with equation ^(x, y, 0, t) = 0. An affine equation of 
this surface X is (p{x, y, z, 1) = (p{x, y, z) = 0. 

A fact we will use is that if f{x) = then 

4'{x,y,z)= Jl {x + ay + {a + l)z). (1) 

This can be shown by elementary manipulations (see Janwa, Wilson, |3l 
Theorem 4]). 
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Our definition of exceptional APN functions is motivated by tlie defi- 
nition of exceptional permutation polynomials. A permutation polynomial 
/ : ¥q — > ¥q is said to be exceptional if / is a permutation polynomial on in- 
finitely many extensions of ¥q. One technique for proving that a polynomial 
is not exceptional is to prove that the curve 4>{x,y) = {f{y) — f{x))/{y — x) 
has an absolutely irreducible factor over Fg. Then the Weil bound applied 
to this factor guarantees many Fgn -rational points on the curve for all n 
sufficiently large. In particular there are points with x 7^ y, which means 
that / cannot be a permutation. 

The authors thank the referee for relevant suggestions. 

2 Degree not Gold or Kasami- Welch 

If the degree of / is not a Gold number 2^^ + 1, or a Kasami- Welch number 
4*^ — 2'^ + 1, then we will apply results of Rodier [6] and Hernando-McGuire 
[2j to prove our results. 

Lemma 2.1 Let H he a projective hypersurface. If X f] H has a reduced 
absolutely irreducible component defined over ¥q then X has an absolutely 
irreducible component defined over¥q. 

Proof: Let Yh be a reduced absolutely irreducible component oi X n H 
defined over ¥q. Let Y be an absolutely irreducible component of X that 
contains Yh- Suppose for the sake of contradiction that Y is not defined over 
¥q. Then Y is defined over ¥qt for some t. Let a be a generator for the Galois 
group Gal{¥qt /¥q) of ¥qt over ¥q. Then cr{Y) is an absolutely irreducible 
component of X that is distinct from Y. However, ^(Y) 5 cr{YH) = Yh, 
which implies that Yh is contained in two distinct absolutely irreducible 
components of X. This means that a double copy of Yh is a component of 
X, which contradicts the assumption that Yh is reduced. □ 

Lemma 2.2 Let H be the hyperplane at infinity. Let d he the degree of f . 
Then X f] H is not reduced if d is even, and X f] H is reduced if d is odd 
and f is not a Gold or Kasami- Welch monomial function. 

Proof: Let (j)d{x, y, z) denote the (j) corresponding to the function x'^. In 
X f] H we may assume (j) = (pd- 

If d is odd then the singularities of X n if were classified by Janwa- 
Wilson [3]. They show that the singularities are isolated (the coordinates 
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must be {d— l)-th roots of unity) and so the dimension of the singular locus 
of X n is 0. 

Suppose d is even and write d = 2^e where e is odd. In X f] H we have 

{x + y){x + z){y + z)(pdix,y,z) = x'^ + y'^ + z"^ + {x + y + z)'^ 

= ix'' + y' + z' + {x + y + zff 

= {{x + y){x + z){y + z)(t)e{x,y,z)f\ 

Therefore 

(j)d{x, y, z) = (/>e(x, y, zf {{x + y){x + z){y + z)f'~'^ 

and is not reduced. □ 

Here is the main result of this section. 

Theorem 2.3 // the degree of the polynomial function f is odd and not 
a Gold or a Kasami-Welch number then f is not APN over ¥qn for all n 
sufficiently large. 

Proof: By Lemma fl?2\ X r\ H is reduced. Furthermore, we know by [2j 
that X r\H has an absolutely irreducible component defined over Fg, which 
is also reduced. Thus, by Lemma |2. 11 we obtain that X has an absolutely 
irreducible component defined over Fg. As discussed in the introduction, 
this enables us to conclude that / is not APN on F^n for all n sufficiently 
large. □ 

In the even degree case, we can state the result when half of the degree 
is odd, with an extra minor condition. 

Theorem 2.4 If the degree of the polynomial function f is 2e with e odd, 
and if f contains a term of odd degree, then f is not APN over F^n for all 
n sufficiently large. 

Proof: As shown in the proof of Lemma 12.21 in the particular case where 
d = 2^e with e odd and j = 1, we can write 

(j)d{x, y, z) = (l)e{x, y, zf{x + y){x + z){y + z). 

Hence, x + y = is the equation of a reduced component of the curve 
= X r\ H with equation (pd = ^ where H is the hyperplane at infinity. 
The only absolutely irreducible component Xq of the surface X containing 
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the line a; + y = in is reduced and defined over F^. We have to show 
that this component doesn't contain the plane x + y = 0. 

The function x + y doesn't divide (j){x, y, z) if and only if the function 
{x + y)^ doesn't divide f{x) + f{y) + f{z) + f{x + y + z). Let x*" be a term 
of odd degree of the function /. We show easily that (x + y)^ doesn't divide 
x^ + y'^ + + {x + y + zY by using the change of variables s = x + y which 
gives: 

x'' + ?/ + z'' + {x + y + zY = s{x''~'^ + z'""^) + s^P 

where P is a polynomial. 

Hence X has an absolutely irreducible component defined over and 
then / is not APN on ¥qn for all n sufficiently large. 

□ 

Remark: This theorem is false if 2e is replaced by 4e in the statement. A 

counterexample is x^'^ + cx^, where c G F4 satisfies + c + 1 = 0, which is 
APN on F4n for any n which is not divisible by 3, since it is CCZ-cquivalcnt 
to x^' . Indeed this function is defined over F4, and is equal to L o /, where 
f{x) = x^ and L(x) = x^ + ex. Certainly L is F4-linear, and it is not hard 
to show that L is bijective on F4n if and only if n is not divisible by 3. 
The graph of x^ is {(x,x^) | x G F4n} and it is transformed in the graph 
of x^^ + cx^ which is {(x,x^^ + cx^) | x G F4n} by the linear permutation 
Id X L where Id is the identity function. So when n is not divisible by 3, 
L o / is APN on F4n because / is APN. This example shows in particular 
that our conjecture has to be stated up to CCZ-equivalence. 

3 Gold Degree 

Suppose the degree of / is a Gold number d = 2*^ + 1. Set d to be this value 
for this section. Then the degree of (/) is d — 3 = 2^^ — 2. 

3.1 First Case 

We will prove the absolute irreducibility for a certain type of /. 

Theorem 3.1 Suppose /(x) = x*^ + g{x) where deg{g) < 2'^~^ + 1 . Let 

g{x) = X]j=o CLjX^ ■ Suppose moreover that there exists a nonzero coeffi- 
cient ttj of g such that (pj{x,y,z) is absolutely irreducible. Then (p{x,y,z) is 
absolutely irreducible. 
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Proof: We must show that (pix, y, z) is absolutely irreducible. Suppose 
(j){x,y,z) = P{x,y, z)Q{x,y, z). Write each polynomial as a sum of homo- 
geneous parts: 

d 

J2aj^j{x,y,z) = {Ps + Ps-i + ■ ■ ■ + Po){Qt + Qt-i + ■ ■ ■ + Qo) (2) 
j=3 

where Pj, Qj are homogeneous of degree j. Then from ([T|) we get 
PsQt= n {x + ay + {a + l)z). 

In particular this implies that Pg and Qt are relatively prime as the product 
is made of distinct irreducible factors. 

The homogeneous terms in ([2]) of degree strictly less than d — 3 and 
strictly greater than 2^~^ — 2 are 0, by the assumed bound on the degree of 
g. Equating terms of degree s + t — 1 in the equation ([2j) gives PgQt-i + 
Ps-iQt = 0. Hence Pg divides Pg-iQt which implies Ps divides Pg-i because 
gcd{Ps,Qt) = 1, and we conclude Pg-i = as degPs_i < degP^. Then we 
also get Qt-i = 0. Similarly, Ps_2 = = Qt-2, Ps-3 = = Qts, and so on 
until we get the equation 

PsQo + Ps-tQt = 

where we suppose wlog that s > t. (Note that when s > t, one gets from 
s + t = d — 3 that s > (d — 3)/2 and t < {d — 3)/2, and the bound on deg(5') is 
chosen: deg{g) < t + 3 < 2'^~^ + 2.) This equation implies Ps divides Pg-tQt, 
which implies Ps divides Ps-t, which implies Pg^t = 0. Since 7^ we must 
have Qo = 0. 

We now have shown that Q = Qt is homogeneous. In particular, this 
means that (j)j {x, y, z) is divisible hy x + ay + {a + l)z for some a € — ¥2 
and for all j such that Uj 7^ 0. We are done if there exists such a j with 
{x, y, z) irreducible. 

□ 

Remark: The hypothesis that there should exist a j with (f>j{x,y,z) is 
absolutely irreducible is not a strong hypothesis. This is true in many cases 
(see the next remarks). However, some hypothesis is needed, because the 
theorem is false without it. One counterexample is with g(x) = x^ and k > 4 
and even. 

Remark: It is known that (pj is irreducible in the following cases (see [1]): 
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• j = 3 (mod 4); 

m j = 5 (mod 8) and j > 13. 

Remark: The theorem is true with the weaker hypothesis that there exists 
a nonzero coefficient aj such that (j)j{x, y, z) is prime to (t)d (recall d = 2'= + !). 
This is the case for 

• J = 2^ ' + 1 is a Gold exponent with r prime to k; 

• J is a Kasami exponent (see |3i Theorem 5]); 

• j = 2^e with e odd and e is in one of the previous cases. 

Example: This applies to x'^'^+g{x) where g{x) is any polynomial of degree 
< 17. 

Remark: The proof did not use the fact that / is APN. This is simply a 
result about polynomials. 

Remark: The bound deg{g) < 2^~^ + 1 is best possible, in the sense that 
there is an example with deg{g) = 2^^"^ + 2 in Rodier [6] where (j) is not 
absolutely irreducible. The counterexample has k = 3, and f{x) = + 
ax^ + a^x^. We discuss this in the next section. 

3.2 On the Boundary of the First Case 

As we said in the previous section, when f{x) = x^'^'^^ + g{x) with deg{g) = 
2^^^ + 2, it is false that (p is always absolutely irreducible. However, the 
polynomial (j) corresponding to the counterexample f{x) = + ax^ + a^x^ 
where a G¥q factors into two irreducible factors over F^. We generalize this 
to the following theorem. 

Theorem 3.2 Let q = 2". Suppose f{x) = x'^ + g{x) where g{x) G Fg[x] 
and deg{g) = 2^~^ + 2. Let k he odd and relatively prime to n. If g{x) does 
not have the form ax'^'' ^"^^ + a^x^ then cf) is absolutely irreducible, while if 
g{x) does have the form ax"^ "'"^ + a^x'^ then either (j) is irreducible or <p 
splits into two absolutely irreducible factors which are both defined overFq. 

Proof: Suppose (/)(x, y, z) = P{x, y, z)Q{x, y, z) and let 

9{x) = ^ ajx\ 

j=0 
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Write each polynomial as a sum of homogeneous parts: 



d 



aj(f>j{x, y, z) = {Ps + P,_i + • • • + Po){Qt + Qt-i + • • • + Qo)- 

J=3 



Then 



PsQt= n ix + ay + il + a)z). 

In particular this means Pg and Qt are relatively prime as in the previous 
theorem. We suppose wlog that s >t, which implies s > 2*^""^ — 1. Compar- 
ing each degree gives Pg-i = = Qt-i, Ps-2 = = Qt-2-i and so on until 
we get the equation of degree s + 1 

PsQi + Ps-t+iQt = 

which implies Ps-t+i = = Qi. If s ^ t then s > 2'^~^. Note then that 
as+3^s+3 = 0. The equation of degree s is 

PsQo + Ps-tQt = 0,s+3<ps+3 = 0. 

This means that Pg-t = 0, so Qq = 0. Wc now have shown that Q = Qt 
is homogeneous. In particular, this means that (p{x, y, z) is divisible by 
X + ay + {1 + a)z for some a G F2fc — F2, which is impossible. Indeed, 
since the leading coefficient of g is not 0, the polynomial 4>2k-i^2 occurs in 
(j); as (^2'=-i+2 — 4'2k-2^iix + y)(y + z){z + x), this polynomial is prime to 
(p, because if x + ay + (1 + a)z occurs in the two polynomials ^2*=-i+2 ^^d 
02fc+i, then a would be an element of F2fc n F2fc-2 = F2 because k is odd. 
Suppose next that s = t = 2*^"^ — 1 in which case the degree s equation 

is 

PsQo + PoQs = as+3(t)s+3- 



which implies that 

(p{x, y, z) = ad(j)d{x, y, z) + a2fe-i+2^2'=-i+2(2^> y> = PsQt + PoQt 



If Qo = 0, then 



d 




j=3 



9 



and Pq / 0, since 5 / 0. So one has (/>2fc-i+2 divides cpdix , y , z) which is 
impossible as 

(?i'2fe-i+2 = (plk-2+-i^{x + y){y + z){z + x). 

We may assume then that = Qo^ and we have (/'2fc-i+2 = 0- Then we 
have 

ck{x,y,z) = {P^ + Pq)(Q^+Qq)=P,Q, + Pq{P,+Q,)+pI (3) 

Note that this imphes aj = for all j except j = 3 and j = s + 3. This 
means 

So if f{x) does not have this form, this shows that (j) is absolutely irreducible. 

If on the contrary cj) splits as {Pg + Po)iQs + Qo), the factors Ps + Pq and 
Qs + Qo are irreducible, as can be shown by using the same argument. 

Assume from now on that f{x) = x'^ + ag+sx''^'^^ + a^x^ and that ([3]) 
holds. Then 03 = Pq, so clearly Pq = y/a^ is defined over Fg. We claim that 
Pg and Qs are actually defined over F2. 

We know from ([T]) that PgQs is defined over F2. 

Also Po{Ps + Qs) = as+30s+3, so Ps + Qs = {as+3/y/aE)(j)s+3- On the 
one hand, Pg + Qs is defined over F2fc by ([T]). On the other hand, since (ps+s 
is defined over F2 we may say that Ps + Qs is defined over ¥q. Because 
{k,n) = 1 we may conclude that Pg + Qs is defined over F2. Note that the 
leading coefficient of Pg + Qs is 1, so a1_^_^ = 03. Whence if this condition is 
not true, then (j) is absolutely irreducible. 

Let a denote the Galois automorphism x 1— > x'^. Then PgQg = a{PgQg) = 
a{Pg)a{Qg), and Pg + Qg = a{Pg + Qg) = a{Pg) + a{Qg). This means a 
either fixes both Pg and Qg, in which case we are done, or else a interchanges 
them. In the latter case, a"^ fixes both Pg and Qg, so they are defined over 
F4. Because they are certainly defined over F2fe by ([I|), and k is odd, they 
are defined over F2fc n F4 = F2. 

Finally, we have now shown that X either is irreducible, or splits into 
two absolutely irreducible factors defined over Fg. □ 

3.3 Using the Hyperplane y = z 

We study the intersection of (j){x, y,z) = with the hyperplane y = z. 
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Lemma 3.3 (j){x,y,y) is always a square. 



Proof: It suffices to prove the result for /(x) = x'^. This is equivalent 
to proving that 1, 1) is a square. This is equivalent to showing that 

its derivative with respect to x is identically 0. This is again equivalent to 
showing that the partial derivative with respect to x of 0d(x, y, 1), evaluated 
at y = 1, is 0. In Lemma 4.1 of [6] Rodier proves that y + z divides the 
partial derivative of (pd{x,y,z) with respect to x, which is exactly what is 
required. □ 

Lemma 3.4 Let H be the hyperplane y = z. If X n H is the square of 
an absolutely irreducible component defined over ¥q then X is absolutely 
irreducible. 

Proof: We claim that for any nonsingular point P €z X f] H , the tangent 
plane to the curve X f] H at P is H. The equation of the tangent plane is 



where P = {xq, yo, zq). Since P £ H we have yo = zq. It is straightforward 
to show that (t>'x{P) = and (j)y{P) = (p'^^P), so this equation becomes 



Corollary 3.1 If f{x) = x'^ + g{x), and d = 2^ + 1 is a Gold exponent, and 
(f){x, y, y) is the square of an irreducible, then X is absolutely irreducible. 

Note that any term x'^ in g{x) where d is even will drop out when we 
calculate y, y), because li d = 2e then 



(x - xo)(t>'AP) + {y- yo)cp'{P) + iz- zo)cPUp) = o 



(y + zW(P)=0. 



But y + z = is the equation of H. 



□ 



_ x'^ + y'^ + z'^ + {x + y + z^ 
{x + y){x + z){y + z) 
{x^ + y'^ + z'^ + {x + y + zY)'^ 
{x + y){x + z){y + z) 
= <i)e{x,y,z){x'' +y'' + z" + {x + y + zf) 
= on H 



because the right factor vanishes on H. 
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In order to find examples of where we can apply this Corollary, if we 
write 

(t^{x, y, y) = {x + yf''~^ + h{x, yf 
then to apply this result we want to show that 

{x + yf'' + h{x,y) 

is irreducible. The degree of h is smaller than 2^~^ — 1. Letting t = x + y 
we want an example of h with ~^ + h(x, x + t) is irreducible. 

Example: Choose any h so that h{x, x + t) is a monomial, and then 
^2*= 1-1 _|_ j^^^^ X + t) is irreducible. 
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